Exchange 2010 Certificate error The Certificate Status could not be determined because the revocation check failed

This guide is for a Lab environment scenario where we have Exchange 2010 setup and we need a certificate to make OWA / Autodiscover work in Lab.
When we Install a RootCA (standalone) and generate a certificate for our use initially it works without issues until the certificate is imported in Exchange and get the error “The Certificate status could not be determined because the revocation check failed”
This happens coz of CRL Distribution Point URL, which are configured under the CA server properties / Extensions tab and Certificate Revocation settings.

This is the default settings for “Extensions” on Root CA server. (screenshots taken from a another Server)


This is the default settings for CRL on Root CA server. Right click “Revoked Certificates” Node and select properties.

Lets change these values to work for us.
1st Step, we will set the Configuration Naming Context which will be used in the CRL path.
Start Command Prompt (CMD) and run the following 1 line commad:

certutil –setreg CA\DSConfigDN CN=Configuration,DC=vhomelab,DC=com

Replace DC=vhomelab,DC=com to your domain name.

2nd step, we will change the settings under “Extensions” tab.

3rd Step, change settings under “Revoked Certificates” properties.
Now, restart the certificate service.

Again right click “Revoked Certificates” and select “Publish” from “Tasks”
This will publish the new CRL with the changes that we made.

Now, go to the Domain Controller and browse the Certificate server using browser (http://YourRootCA/certsrv) and download “CA Certificate” and CRL. (save it on C:\)

From CMD, execute 2 commands: Certutil –addstore –f Root RootCert.cer and Certutil –addstore –f Root RootCRL.crl

This will add Root Certificate and CRL to trusted Root Certificate on DC.
Now we will publish the Root Certificate and CRL to AD DS using commands as follows.

Certutil –dspublish –f RootCert.cer RootCA


Certutil –dspublish –f RootCRL.crl



Now, generate a certificate request from from Exchange Management Shell. (you can use GUI as well)
New-ExchangeCertificate -FriendlyName ‘Ex2010-Cert03’ -GenerateRequest -PrivateKeyExportable $true -KeySize ‘2048’ -SubjectName ‘C=BH,S=”State”,L=”City”,O=”vHomelab”,OU=”IT”,’ -DomainName ‘’,’’,’’,’’ -Server ‘CAS-A’

Request from a certificate.

Complete the certificate request in Exchange Management console.
And, Done!.
If you check the certificate by double clicking it, and under details, see the CRL distribution points,
1st, the command that we ran for Configuration Naming Context, that was to get the CRL path configured properly as shown below.

Hope this has helped you in some ways.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s